Subject: CVS commit: pkgsrc/mail/mailman
To: None <pkgsrc-changes@NetBSD.org>
From: Manuel Bouyer <bouyer@netbsd.org>
List: pkgsrc-changes
Date: 01/21/2006 16:14:24
Module Name: pkgsrc
Committed By: bouyer
Date: Sat Jan 21 16:14:24 UTC 2006
Modified Files:
pkgsrc/mail/mailman: Makefile PLIST distinfo
Added Files:
pkgsrc/mail/mailman/patches: patch-ai patch-aj
Removed Files:
pkgsrc/mail/mailman/patches: patch-ac
Log Message:
Upgrade to 2.1.7nb1.
Local change (which is why we have PKGREVISION=1)
Fix http://secunia.com/advisories/18449/ (CVE-2005-4153) based on Debian
patches.
Changes between 2.1.6 and 2.1.7:
Security
- The fix for CAN-2005-0202 has been enhanced to issue an appropriate
message instead of just quietly dropping ./ and ../ from URLs.
- A note on CVE-2005-3573: Although the RFC2231 bug example in the CVE has
been solved in Mailman 2.1.6, there may be more cases where
ToDigest.send_digests() can block regular delivery. We put the
send_digests() calling part in a try/except clause and leave a message
in the error log if something happened in send_digests(). Daily call of
cron/senddigests will provide more detail to the site administrator.
- List administrators can no longer change the user's option/subscription
globally. Site admin can change these only if
mm_cfg.ALLOW_SITE_ADMIN_COOKIES is set to Yes.
- <script> tags are HTML-escaped in the edithtml CGI script.
- Since the probe message for disabled users may reach unintended
recipients, the password is excluded from sendProbe() and probe.txt.
Note that the default value of VERP_PROBE has been set to `No' from
2.1.6, thus this change doesn't affect the default behavior.
New Features
- Always remove DomainKey (and similar) headers from messages sent to the
list. (1287546)
- List owners can control the content filter behavior when collapsing
multipart/alternative parts to its first subpart. This allows the
option of letting the HTML part pass through after other content
filtering is done.
Internationalization
- New language: Interlingua.
Bug fixes and other patches
- Defaults.py.in: SCRUBBER_DONT_USE_ATTACHMENT_FILENAME is set to True for
safer operation.
- Fixed the bug where Scrubber.py munges quoted-printable by introducing
the 'X-Mailman-Scrubbed' header which marks that the payload is
scrubber-munged. The flag is referenced in ToDigest.py, ToArchive.py,
Decorate.py and Archiver. A similar problem in ToDigest.py where the
plain digest is generated is also fixed.
- Fixed Syslog.py to write quopri encoded messages when it fails to write
8-bit characters.
- Fixed MTA/Postfix.py to check aliases group permission in check_perms
and fixed mailman-install document on this matter (1378270).
- Fixed private.py to go to the original URL after authorization
(1080943).
- Fixed bounce log score messages to be more consistent.
- Fixed bin/remove_members to accept no arguments when both --fromall and
--file= options are specified.
- Changed cgi-bin and mail wrapper "group not found" error message to be
more descriptive of the actual problem.
- The list's ban_list now applies to address changes, admin mass
subscribes and invites, and to confirmations/approvals of address
changes, subscriptions and invitations.
- quoted-printable and base64 encoded parts are decoded before passing to
HTML_TO_PLAIN_TEXT_COMMAND (1367783).
- Approve: header is removed from posts, and treated the same as the
Approved: header. (1355707)
- Fixed the removal of the line following Approve[d]: line in body of
post. (1318883)
- The Approve[d]: <password> header is removed from all text/* parts in
addition to the initial text/plain part. It must still be the first
non-blank line in the first text/plain part or it won't be found or
removed at all. (1181161)
- Posts are now logged in post log file with the true sender, not
listname-bounces. (1287921)
- Correctly initialize and remember the list's default_member_moderation
attribute in the web list creation page. (1263213)
- PEP263 charset is added to the config_list output. (1343100)
- Fixed header_filter_rules getting lost if accessed directly and
authentication was needed by login page. (1230865)
- Obscure email when the poster doesn't set full name in 'From:' header.
- Preambles and epilogues are taken into account when calculating message
sizes for holding purposes. (Mark Sapiro)
- Logging/Logger.py unicode transform option. (1235567)
- bin/update crashes with bogus files. (949117)
- Bugs and patches: 1212066/1301983 (Date header in create/remove notice)
To generate a diff of this commit:
cvs rdiff -r1.29 -r1.30 pkgsrc/mail/mailman/Makefile
cvs rdiff -r1.8 -r1.9 pkgsrc/mail/mailman/PLIST
cvs rdiff -r1.9 -r1.10 pkgsrc/mail/mailman/distinfo
cvs rdiff -r1.5 -r0 pkgsrc/mail/mailman/patches/patch-ac
cvs rdiff -r0 -r1.3 pkgsrc/mail/mailman/patches/patch-ai
cvs rdiff -r0 -r1.1 pkgsrc/mail/mailman/patches/patch-aj
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.